In [5]:
from pathlib import Path
import pandas as pd
import numpy as np
import sys
import os
import pickle
from contextlib import contextmanager

from sklearn.compose import ColumnTransformer
from sklearn.impute import SimpleImputer
from sklearn.preprocessing import TargetEncoder, OneHotEncoder, StandardScaler
from sklearn.model_selection import train_test_split, GridSearchCV
from sklearn.feature_selection import RFE
from sklearn.pipeline import Pipeline
from sklearn.ensemble import RandomForestClassifier, GradientBoostingClassifier, HistGradientBoostingClassifier
from sklearn.calibration import CalibratedClassifierCV
from sklearn.metrics import accuracy_score, classification_report
from sklearn import set_config
set_config(enable_metadata_routing=True)

import plotly.graph_objects as go
import plotly.express as px
from plotly.subplots import make_subplots

from time import monotonic, sleep

from utils.data_processing import load_data, raw_columns, full_dtypes, transform_datetime, df_ua_parser, transform_ipinfo, transform_packetinfo, transform_proxyinfo
from utils.io import suppress_output

In [6]:
# # Ask Claude for a solution because it was triggering me
# @contextmanager
# def suppress_output():
#     """Context manager to suppress stdout and stderr"""
#     with open(os.devnull, 'w') as devnull:
#         old_stdout = sys.stdout
#         old_stderr = sys.stderr
#         sys.stdout = devnull
#         sys.stderr = devnull
#         try:
#             yield
#         finally:
#             sys.stdout = old_stdout
#             sys.stderr = old_stderr

# Input Data Processing

In [14]:
RANDOM_STATE = 124
data_path = Path("./data")
if data_path.joinpath("first_ml_processing.csv").exists():
    processed_data = pd.read_csv(data_path.joinpath("first_ml_processing.csv"))
    raw_data = pd.read_csv(data_path.joinpath("cybersecurity_attacks.csv"))
    
    ip_cols = ["Int Source IP", "Int Destination IP", "Global Source IP", "Global Destination IP"]
    raw_data[ip_cols] = transform_ipinfo(raw_data[["Source IP Address", "Destination IP Address"]])
else:
    # Must use clean_data function to load data 
    dtypes = {col: col_type for col, col_type in full_dtypes.items() if col in raw_columns}
    raw_data = load_data(data_path.joinpath("cybersecurity_attacks.csv"), dtype=dtypes)

    datetime_cols = ["Year", "Month", "Day", "Hour", "Minute", "Second", "DayOfWeek", "IsWeekend"]
    raw_data[datetime_cols] = transform_datetime(raw_data["Timestamp"])
    device_cols = ["String","Browser Name", "Browser Version", "Browser Minor", "Browser Patch",
                    "Browser Patch Minor", "OS Name", "OS Version", "OS Version Minor",
                    "OS Version Patch", "OS Version Patch Minor", "Device Brand", "Device Model",
                    "Device Type"]
    raw_data[device_cols] = df_ua_parser(raw_data["Device Information"])
    proxy_cols = ["Is Proxy"]
    raw_data[proxy_cols] = transform_proxyinfo(raw_data["Proxy Information"])
    ip_cols = ["Int Source IP", "Int Destination IP", "Global Source IP", "Global Destination IP"]
    raw_data[ip_cols] = transform_ipinfo(raw_data[["Source IP Address", "Destination IP Address"]])
    packet_cols = ["Packet Bin"]
    raw_data[packet_cols] = transform_packetinfo(raw_data["Packet Length"], scale=False)

    processed_data = raw_data.drop(columns=["Payload Data","Timestamp", "String", "Device Information",
                                    "Proxy Information", "Source IP Address", "Destination IP Address"])
    processed_data.to_csv(data_path.joinpath("first_ml_processing.csv"), index=False)


# Baseline Model
The baseline model considers all features. <br>
Numerical values are kept that way and all others features are one-hot encoded.


In [15]:
Y_true = raw_data["Attack Type"].astype("category").cat.codes
labels = ["DDoS", "Intrusion", "Malware"]
X_dataset = raw_data.drop(columns=["Attack Type", "Global Source IP", "Global Destination IP",
                                   "Source IP Address", "Destination IP Address"])

In [16]:
cat_cols = X_dataset.select_dtypes(include=["str", "category"]).columns
print("Categorical columns:", cat_cols.tolist())
bool_cols = X_dataset.select_dtypes(include=["bool"]).columns
print("Boolean columns:", bool_cols.tolist())
num_cols = X_dataset.select_dtypes(include=["int64", "float64"]).columns
print("Numerical columns:", num_cols.tolist())
passthrough_cols = [col for col in X_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

_tmp = SimpleImputer(strategy="constant", fill_value="unknown").fit_transform(X_dataset[cat_cols])
_tmp_ohe = OneHotEncoder(drop="first", handle_unknown="ignore").fit(_tmp)
all_categories = _tmp_ohe.categories_

Boolean columns: []
Numerical columns: ['Source Port', 'Destination Port', 'Packet Length', 'Anomaly Scores', 'Int Source IP', 'Int Destination IP']


### Pipeline

In [17]:
numeric_transformer_all = Pipeline(
    steps=[
        ("imputer", SimpleImputer(strategy="mean")),
        ("scaler", StandardScaler())
    ]
)

cat_transformer_all = Pipeline([
    ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
    ("encoder", OneHotEncoder(drop="first", handle_unknown="ignore", sparse_output=True, categories=all_categories))
])

preprocessor_all = ColumnTransformer(
    transformers=[
        ("cat", cat_transformer_all, cat_cols),
        ("num", numeric_transformer_all, num_cols)
    ]
)

classifier_all = RandomForestClassifier(
    random_state=RANDOM_STATE, 
    n_estimators=200, 
    max_depth=20, 
    min_samples_split=5,
    n_jobs=6,
    verbose=1
)

base_model = Pipeline(
    steps=[
        ("preprocessor", preprocessor_all),
        ("classifier", classifier_all)
    ]
)


In [None]:
X_train, X_test, y_train, y_test = train_test_split(X_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)
start_time = monotonic()
base_model.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    score = base_model.score(X_test, y_test)
    y_pred = base_model.predict(X_test)
    report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Model score: %.3f" % score)
print(report)

[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    1.1s
[Parallel(n_jobs=6)]: Done 188 tasks      | elapsed:    4.5s
[Parallel(n_jobs=6)]: Done 200 out of 200 | elapsed:    4.9s finished


Time taken to fit the model: 5.80 seconds
Model score: 0.338
              precision    recall  f1-score   support

        DDoS       0.34      0.88      0.49      2686
   Intrusion       0.37      0.06      0.10      2653
     Malware       0.32      0.06      0.11      2661

    accuracy                           0.34      8000
   macro avg       0.34      0.34      0.23      8000
weighted avg       0.34      0.34      0.23      8000



### Feature Importance

In [None]:
importances = base_model.named_steps['classifier'].feature_importances_
std = np.std([tree.feature_importances_ for tree in base_model.named_steps['classifier'].estimators_], axis=0)
feature_names = [f"{x}" for x in base_model.named_steps["preprocessor"].get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)

fig = px.bar(forest_importances[forest_importances["importance"] > 0.003],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

## Atomic Features Categories

In [None]:
X_dataset = raw_data.drop(columns=["Attack Type", "Global Source IP", "Global Destination IP",
                                   "Source IP Address", "Destination IP Address"])

In [None]:
cat_cols = X_dataset.select_dtypes(include=["str", "category"]).columns
print("Categorical columns:", cat_cols.tolist())
bool_cols = X_dataset.select_dtypes(include=["bool"]).columns
print("Boolean columns:", bool_cols.tolist())
num_cols = X_dataset.select_dtypes(include=["int64", "float64"]).columns
print("Numerical columns:", num_cols.tolist())
passthrough_cols = [col for col in X_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

_tmp = SimpleImputer(strategy="constant", fill_value="unknown").fit_transform(X_dataset[cat_cols])
_tmp_ohe = OneHotEncoder(drop="first", handle_unknown="ignore").fit(_tmp)
all_categories = _tmp_ohe.categories_

### Pipeline Definition

In [None]:

numeric_transformer = Pipeline(
        steps = [("scaler", StandardScaler())]
    )

categorical_transformer = Pipeline([
        ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
        ("encoder", OneHotEncoder(handle_unknown="ignore", drop="first", sparse_output=True, max_categories=40)) #Limit categories to 40 to prevent too much indiviual features after encoding
        ])
boolean_transformer = Pipeline([
        ("encoder", TargetEncoder(target_type="binary")),
        ])

preprocessor = ColumnTransformer(
        transformers=[
            ("cat", categorical_transformer, cat_cols),
            ("num", numeric_transformer, num_cols),
            ("bool", boolean_transformer, bool_cols)
        ]
    )

cstr_model = Pipeline([
        ("preprocessor", preprocessor),
        ("classifier", RandomForestClassifier(n_estimators=200, random_state=RANDOM_STATE, n_jobs=6, verbose=1))
    ])

### Model Fitting and Result

In [None]:
X_train, X_test, y_train, y_test = train_test_split(X_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)
start_time = monotonic()
cstr_model.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    score = cstr_model.score(X_test, y_test)
    y_pred = cstr_model.predict(X_test)

report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Model score: %.3f" % score)
print(report)

[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    2.1s
[Parallel(n_jobs=6)]: Done 188 tasks      | elapsed:    9.8s
[Parallel(n_jobs=6)]: Done 200 out of 200 | elapsed:   10.4s finished


Time taken to fit the model: 11.33 seconds
Model score: 0.333
              precision    recall  f1-score   support

        DDoS       0.34      0.52      0.41      2686
   Intrusion       0.32      0.20      0.25      2653
     Malware       0.33      0.27      0.30      2661

    accuracy                           0.33      8000
   macro avg       0.33      0.33      0.32      8000
weighted avg       0.33      0.33      0.32      8000



### Feature Importance

In [None]:
importances = cstr_model.named_steps['classifier'].feature_importances_
std = np.std([tree.feature_importances_ for tree in cstr_model.named_steps['classifier'].estimators_], axis=0)
feature_names = [f"{x}" for x in cstr_model.named_steps["preprocessor"].get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)

fig = px.bar(forest_importances[forest_importances["importance"] > 0.01],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

## No pre-defined categories

### Pipeline Definition

In [None]:
numeric_transformer_all = Pipeline(
    steps=[
        ("imputer", SimpleImputer(strategy="mean")),
        ("scaler", StandardScaler())
    ]
)

cat_transformer_all = Pipeline([
    ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
    ("encoder", OneHotEncoder(drop="first", handle_unknown="ignore", sparse_output=True))
])

preprocessor_all = ColumnTransformer(
    transformers=[
        ("cat", cat_transformer_all, cat_cols),
        ("num", numeric_transformer_all, num_cols)
    ]
)

classifier_all = RandomForestClassifier(
    random_state=RANDOM_STATE, 
    n_estimators=200, 
    max_depth=20, 
    min_samples_split=5,
    n_jobs=6,
    verbose=1
)

comp_model = Pipeline(
    steps=[
        ("preprocessor", preprocessor_all),
        ("classifier", classifier_all)
    ]
)


### Model Fitting and Result

In [None]:
start_time = monotonic()
comp_model.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    score = comp_model.score(X_test, y_test)
    y_pred = comp_model.predict(X_test)

report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Model score: %.3f" % score)
print(report)

[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    0.1s
[Parallel(n_jobs=6)]: Done 188 tasks      | elapsed:    0.5s
[Parallel(n_jobs=6)]: Done 200 out of 200 | elapsed:    0.5s finished


Time taken to fit the model: 1.07 seconds
Model score: 0.330
              precision    recall  f1-score   support

        DDoS       0.33      0.87      0.48      2686
   Intrusion       0.33      0.05      0.09      2653
     Malware       0.30      0.06      0.10      2661

    accuracy                           0.33      8000
   macro avg       0.32      0.33      0.22      8000
weighted avg       0.32      0.33      0.22      8000



Huge precision according to DDoS but rest is very low. Means using smote/smotetomek need to balance the synthetic data to more Intrusion & Malware!! <br> try to remove payload and timestamp maybe

In [None]:
importances = comp_model.named_steps['classifier'].feature_importances_
std = np.std([tree.feature_importances_ for tree in comp_model.named_steps['classifier'].estimators_], axis=0)
feature_names = [f"{x}" for x in comp_model.named_steps["preprocessor"].get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)

fig = px.bar(forest_importances[forest_importances["importance"] > 0.002],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

# Basic Models

## Model with all granular features

Because we are not combining features, all numerical features with missing values will not be considered. There is no method to apply a specific method to replace it for features like OS version patch minor or browser patch minor without getting extra data <br>
All granular is used and we removed all unnecessary features from the raw file

In [None]:
X_dataset = processed_data.copy().drop(columns=["Attack Type", "Browser Patch" , "Browser Patch Minor",
                                                "OS Version", "OS Version Minor", "OS Version Patch", "OS Version Patch Minor",
                                                "Device Type", "User Information", "Geo-location Data"])

### Pipeline Definition

In [None]:
cat_cols = X_dataset.select_dtypes(include=["str", "category"]).columns
print("Categorical columns:", cat_cols.tolist())
bool_cols = X_dataset.select_dtypes(include=["bool"]).columns
print("Boolean columns:", bool_cols.tolist())
num_cols = X_dataset.select_dtypes(include=["int64", "float64"]).columns
print("Numerical columns:", num_cols.tolist())
passthrough_cols = [col for col in X_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

numeric_transformer = Pipeline(
        steps = [("scaler", StandardScaler())]
    )

categorical_transformer = Pipeline([
        ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
        ("encoder", OneHotEncoder(handle_unknown="ignore", drop="first"))
        ])
boolean_transformer = Pipeline([
        ("encoder", TargetEncoder(target_type="binary")),
        ])

preprocessor = ColumnTransformer(
        transformers=[
            ("cat", categorical_transformer, cat_cols),
            ("num", numeric_transformer, num_cols),
            ("bool", boolean_transformer, bool_cols)
        ]
    )

first_model = Pipeline([
        ("preprocessor", preprocessor),
        ("classifier", RandomForestClassifier(n_estimators=100, random_state=RANDOM_STATE, n_jobs=6, verbose=1))
    ])

Boolean columns: ['Is Proxy', 'Global Source IP', 'Global Destination IP']
Numerical columns: ['Source Port', 'Destination Port', 'Packet Length', 'Anomaly Scores', 'Year', 'Month', 'Day', 'Hour', 'Minute', 'Second', 'DayOfWeek', 'IsWeekend', 'Browser Version', 'Browser Minor', 'Int Source IP', 'Int Destination IP']


### Model Fitting and Result

In [None]:
X_train, X_test, y_train, y_test = train_test_split(X_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)
start_time = monotonic()
first_model.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    score = first_model.score(X_test, y_test)
    y_pred = first_model.predict(X_test)

report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Model score: %.3f" % score)
print(report)

[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    0.5s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    1.3s finished


Time taken to fit the model: 1.58 seconds
Model score: 0.320
              precision    recall  f1-score   support

        DDoS       0.33      0.35      0.34      2686
   Intrusion       0.31      0.30      0.31      2653
     Malware       0.32      0.31      0.31      2661

    accuracy                           0.32      8000
   macro avg       0.32      0.32      0.32      8000
weighted avg       0.32      0.32      0.32      8000



So nothing new. We obtain a 1/3 which is expected from randomness

### Feature Importance

In [None]:
importances = first_model.named_steps['classifier'].feature_importances_
std = np.std([tree.feature_importances_ for tree in first_model.named_steps['classifier'].estimators_], axis=0)
feature_names = [f"{x}" for x in first_model.named_steps["preprocessor"].get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)

fig = px.bar(forest_importances[forest_importances["importance"] > 0.002],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

Each feature show very low importance (most below 5%) but all numerical features seems to carry the most information

## 2nd model: Numeric as categories


Some numeric features are considered as categories now. All features related to date and time information as well as the one related to browser and device version

In [None]:
Xcat_dataset = X_dataset.copy()
columns = ["Year", "Month", "Day", "Hour", "Minute", "Second", "DayOfWeek", "Browser Version", "Browser Minor"]
Xcat_dataset[columns] = Xcat_dataset[columns].astype("category")

### Pipeline Definition

In [None]:
cat_cols = Xcat_dataset.select_dtypes(include=["str", "category"]).columns
print("Categorical columns:", cat_cols.tolist())
bool_cols = Xcat_dataset.select_dtypes(include=["bool"]).columns
print("Boolean columns:", bool_cols.tolist())
num_cols = Xcat_dataset.select_dtypes(include=["int64", "float64"]).columns
print("Numerical columns:", num_cols.tolist())
passthrough_cols = [col for col in Xcat_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

numeric_transformer = Pipeline(
        steps = [("scaler", StandardScaler())]
    )

categorical_transformer = Pipeline([
        ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
        ("encoder", OneHotEncoder(handle_unknown="ignore", drop="first"))
        ])
boolean_transformer = Pipeline([
        ("encoder", TargetEncoder(target_type="binary")),
        ])

preprocessor = ColumnTransformer(
        transformers=[
            ("cat", categorical_transformer, cat_cols),
            ("num", numeric_transformer, num_cols),
            ("bool", boolean_transformer, bool_cols)
        ]
    )

cat_model = Pipeline([
        ("preprocessor", preprocessor),
        ("classifier", RandomForestClassifier(n_estimators=100, random_state=RANDOM_STATE, n_jobs=6, verbose=1))
    ])

Boolean columns: ['Is Proxy', 'Global Source IP', 'Global Destination IP']
Numerical columns: ['Source Port', 'Destination Port', 'Packet Length', 'Anomaly Scores', 'IsWeekend', 'Int Source IP', 'Int Destination IP']


### Model Fitting and Result

In [None]:
X_train, X_test, y_train, y_test = train_test_split(X_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)
start_time = monotonic()
cat_model.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    score = cat_model.score(X_test, y_test)
    y_pred = cat_model.predict(X_test)

report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Model score: %.3f" % score)
print(report)

[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    3.2s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    7.6s finished


Time taken to fit the model: 7.94 seconds
Model score: 0.341
              precision    recall  f1-score   support

        DDoS       0.34      0.38      0.36      2686
   Intrusion       0.34      0.33      0.33      2653
     Malware       0.34      0.31      0.33      2661

    accuracy                           0.34      8000
   macro avg       0.34      0.34      0.34      8000
weighted avg       0.34      0.34      0.34      8000



Not better. Same score and no improvement

### Feature Importance

In [None]:
importances = cat_model.named_steps['classifier'].feature_importances_
std = np.std([tree.feature_importances_ for tree in cat_model.named_steps['classifier'].estimators_], axis=0)
feature_names = [f"{x}" for x in cat_model.named_steps["preprocessor"].get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)

fig = px.bar(forest_importances[forest_importances["importance"] > 0.01],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

## 3rd Model: Feature Combination


For the third model we will combine some features.
First ones are: features related to browser will be merged, features related to device will be merged together and (Protocol,Packet Type,Scale Packet Length) will be merged (from the features analysis it was the one with the higher mean between min max of each combination) <br>
Anomaly score will be multiply by itself

In [None]:
Xmer_dataset = X_dataset.copy()
Xmer_dataset["Browser"] = Xmer_dataset["Browser Name"] + "_" + Xmer_dataset["Browser Version"].astype(str) + "_" + Xmer_dataset["Browser Minor"].astype(str)
Xmer_dataset = Xmer_dataset.drop(columns=["Browser Name", "Browser Version", "Browser Minor"])
Xmer_dataset["Device"] = Xmer_dataset["Device Brand"] + "_" + Xmer_dataset["Device Model"]
Xmer_dataset = Xmer_dataset.drop(columns=["Device Brand", "Device Model"])
columns = ["Year", "Month", "Day", "Hour", "Minute", "Second", "DayOfWeek"]
Xmer_dataset[columns] = Xmer_dataset[columns].astype("category")
Xmer_dataset["Syn_feature_1"] = Xmer_dataset["Protocol"] + "_" + Xmer_dataset["Packet Type"] + Xmer_dataset["Traffic Type"]
Xmer_dataset = Xmer_dataset.drop(columns=["Protocol", "Packet Type", "Traffic Type"])
Xmer_dataset["Syn_feature_2"] = Xmer_dataset["Malware Indicators"] + "_" + Xmer_dataset["Alerts/Warnings"] + "_" + Xmer_dataset["IDS/IPS Alerts"]
Xmer_dataset = Xmer_dataset.drop(columns=["Malware Indicators", "Alerts/Warnings", "IDS/IPS Alerts"])
Xmer_dataset["Syn_feature_3"] = Xmer_dataset["Anomaly Scores"]**2
Xmer_dataset = Xmer_dataset.drop(columns=["Anomaly Scores"])


### Pipeline Defition

In [None]:
cat_cols = Xmer_dataset.select_dtypes(include=["str", "category"]).columns
print("Categorical columns:", cat_cols.tolist())
bool_cols = Xmer_dataset.select_dtypes(include=["bool"]).columns
print("Boolean columns:", bool_cols.tolist())
num_cols = Xmer_dataset.select_dtypes(include=["int64", "float64"]).columns
print("Numerical columns:", num_cols.tolist())
passthrough_cols = [col for col in Xmer_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

numeric_transformer = Pipeline(
        steps = [("scaler", StandardScaler())]
    )

categorical_transformer = Pipeline([
        ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
        ("encoder", OneHotEncoder(handle_unknown="ignore", drop="first"))
        ])
boolean_transformer = Pipeline([
        ("encoder", TargetEncoder(target_type="binary")),
        ])

preprocessor = ColumnTransformer(
        transformers=[
            ("cat", categorical_transformer, cat_cols),
            ("num", numeric_transformer, num_cols),
            ("bool", boolean_transformer, bool_cols)
        ]
    )

mer_model = Pipeline([
        ("preprocessor", preprocessor),
        ("classifier", RandomForestClassifier(n_estimators=100, random_state=RANDOM_STATE, n_jobs=6, verbose=1))
    ])

Categorical columns: ['Attack Signature', 'Action Taken', 'Severity Level', 'Network Segment', 'Firewall Logs', 'Log Source', 'Year', 'Month', 'Day', 'Hour', 'Minute', 'Second', 'DayOfWeek', 'OS Name', 'Packet Bin', 'Browser', 'Device', 'Syn_feature_1', 'Syn_feature_2']
Boolean columns: ['Is Proxy', 'Global Source IP', 'Global Destination IP']
Numerical columns: ['Source Port', 'Destination Port', 'Packet Length', 'IsWeekend', 'Int Source IP', 'Int Destination IP', 'Syn_feature_3']


### Model Fitting and Result

In [None]:
X_train, X_test, y_train, y_test = train_test_split(Xmer_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)
start_time = monotonic()
mer_model.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    score = mer_model.score(X_test, y_test)
    y_pred = mer_model.predict(X_test)

report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Model score: %.3f" % score)
print(report)

[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    2.7s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    6.5s finished


Time taken to fit the model: 6.76 seconds
Model score: 0.333
              precision    recall  f1-score   support

        DDoS       0.33      0.36      0.35      2686
   Intrusion       0.34      0.33      0.33      2653
     Malware       0.33      0.31      0.32      2661

    accuracy                           0.33      8000
   macro avg       0.33      0.33      0.33      8000
weighted avg       0.33      0.33      0.33      8000



### Feature Importance

In [None]:
importances = mer_model.named_steps['classifier'].feature_importances_
std = np.std([tree.feature_importances_ for tree in mer_model.named_steps['classifier'].estimators_], axis=0)
feature_names = [f"{x}" for x in mer_model.named_steps["preprocessor"].get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)
fig = px.bar(forest_importances[forest_importances["importance"] > 0.01],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

# Gradient Boosting Models

## Simple GradientBoosting Model

### Pipeline Definition

In [None]:
cat_cols = Xmer_dataset.select_dtypes(include=["str", "category"]).columns
print("Categorical columns:", cat_cols.tolist())
bool_cols = Xmer_dataset.select_dtypes(include=["bool"]).columns
print("Boolean columns:", bool_cols.tolist())
num_cols = Xmer_dataset.select_dtypes(include=["int64", "float64"]).columns
print("Numerical columns:", num_cols.tolist())
passthrough_cols = [col for col in Xmer_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

numeric_transformer = Pipeline(
        steps = [("scaler", StandardScaler())]
    )

categorical_transformer = Pipeline([
        ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
        ("encoder", OneHotEncoder(handle_unknown="ignore", drop="first"))
        ])
boolean_transformer = Pipeline([
        ("encoder", TargetEncoder(target_type="binary")),
        ])

preprocessor = ColumnTransformer(
        transformers=[
            ("cat", categorical_transformer, cat_cols),
            ("num", numeric_transformer, num_cols),
            ("bool", boolean_transformer, bool_cols)
        ]
    )

grad_model = Pipeline([
        ("preprocessor", preprocessor),
        ("classifier", GradientBoostingClassifier(n_estimators=300, max_depth = None, min_samples_split=30, random_state=RANDOM_STATE, n_iter_no_change=15, verbose=1))
    ])


Categorical columns: ['Attack Signature', 'Action Taken', 'Severity Level', 'Network Segment', 'Firewall Logs', 'Log Source', 'Year', 'Month', 'Day', 'Hour', 'Minute', 'Second', 'DayOfWeek', 'OS Name', 'Packet Bin', 'Browser', 'Device', 'Syn_feature_1', 'Syn_feature_2']
Boolean columns: ['Is Proxy', 'Global Source IP', 'Global Destination IP']
Numerical columns: ['Source Port', 'Destination Port', 'Packet Length', 'IsWeekend', 'Int Source IP', 'Int Destination IP', 'Syn_feature_3']


### Model fitting and result

In [None]:
X_train, X_test, y_train, y_test = train_test_split(Xmer_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)
start_time = monotonic()
grad_model.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    score = grad_model.score(X_test, y_test)
    y_pred = grad_model.predict(X_test)
    report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Model score: %.3f" % score)
print(report)

Time taken to fit the model: 211.95 seconds
Model score: 0.335
              precision    recall  f1-score   support

        DDoS       0.34      0.36      0.35      2686
   Intrusion       0.33      0.32      0.32      2653
     Malware       0.34      0.33      0.33      2661

    accuracy                           0.34      8000
   macro avg       0.34      0.34      0.34      8000
weighted avg       0.34      0.34      0.34      8000



### Feature Importance

In [None]:
importances = grad_model.named_steps['classifier'].feature_importances_
forests = [forest for forest in grad_model.named_steps['classifier'].estimators_]
std = np.std([tree.feature_importances_ for forest in forests for tree in forest], axis=0)
feature_names = [f"{x}" for x in grad_model.named_steps["preprocessor"].get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)

fig = px.bar(forest_importances[forest_importances["importance"] > 0.01],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

## HistGradientBoost Classifier

No need to use one hot encoder for this model

In [None]:
Xhist_dataset = X_dataset.copy()

### Pipeline Definition

In [None]:
cat_cols = Xhist_dataset.select_dtypes(include=["str", "category","bool", "object"]).columns.to_list()
print("Categorical columns:", cat_cols)
num_cols = Xhist_dataset.select_dtypes(include=["number"]).columns
passthrough_cols = [col for col in Xhist_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

numeric_transformer = Pipeline(
        steps = [("scaler", StandardScaler())]
    )

preprocessor = ColumnTransformer(
        transformers=[
            ("num", numeric_transformer, num_cols),
            ("cat", "passthrough", cat_cols)
        ]
    )

# Calculate indices of categorical features after preprocessing
# num_cols come first, then cat_cols
cat_feature_indices = range(len(num_cols), len(num_cols) + len(cat_cols))

hist_model = Pipeline([
    ("preprocessor", preprocessor),
    ("classifier", HistGradientBoostingClassifier(max_iter=300, max_depth=None, random_state=RANDOM_STATE, categorical_features=cat_feature_indices, verbose=1))
])



### Model Fitting

In [None]:
X_train, X_test, y_train, y_test = train_test_split(Xhist_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)
start_time = monotonic()
hist_model.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    score = hist_model.score(X_test, y_test)
    y_pred = hist_model.predict(X_test)
    report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Model score: %.3f" % score)
print(report)

Binning 0.008 GB of training data: 0.021 s
Binning 0.001 GB of validation data: 0.001 s
Fitting gradient boosted rounds:
Fit 33 trees in 0.233 s, (1023 total leaves)
Time spent computing histograms: 0.043s
Time spent finding best splits:  0.015s
Time spent applying splits:      0.015s
Time spent predicting:           0.001s
Time taken to fit the model: 0.28 seconds
Model score: 0.332
              precision    recall  f1-score   support

        DDoS       0.33      0.35      0.34      2686
   Intrusion       0.33      0.30      0.32      2653
     Malware       0.33      0.34      0.34      2661

    accuracy                           0.33      8000
   macro avg       0.33      0.33      0.33      8000
weighted avg       0.33      0.33      0.33      8000



# Model with Less features

## Model with no combination

We try to model using less features. All features related to post analysis are ommitted: we keep information related to IP, port packet length and month day as well as dayofweek

In [None]:
columns = ["Int Source IP", "Int Destination IP", "Protocol", "Packet Type", "Traffic Type", "Anomaly Scores", "Severity Level", "Month", "DayOfWeek"]
Xsimple_dataset = X_dataset[columns].copy()
Xsimple_dataset[["Month", "DayOfWeek"]] = Xsimple_dataset[["Month", "DayOfWeek"]].astype("category")

### Pipeline Definition

In [None]:
cat_cols = Xsimple_dataset.select_dtypes(include=["str", "object"]).columns
print("Categorical columns:", cat_cols.tolist())
bool_cols = Xsimple_dataset.select_dtypes(include=["bool"]).columns
print("Boolean columns:", bool_cols.tolist())
num_cols = Xsimple_dataset.select_dtypes(include=["number"]).columns
print("Numerical columns:", num_cols.tolist())
passthrough_cols = [col for col in Xsimple_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

numeric_transformer = Pipeline(
        steps = [("scaler", StandardScaler())]
    )

categorical_transformer = Pipeline([
        ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
        ("encoder", OneHotEncoder(handle_unknown="ignore", drop="first"))
        ])

boolean_transformer = Pipeline([
        ("encoder", TargetEncoder(target_type="binary")),
        ])

preprocessor = ColumnTransformer(
        transformers=[
            ("cat", categorical_transformer, cat_cols),
            ("num", numeric_transformer, num_cols),
            ("bool", boolean_transformer, bool_cols)
        ])

param_grid = {
    "classifier__n_estimators": [100, 300],
    "classifier__max_depth": [None, 10, 20],
    "classifier__min_samples_split": [2, 10, 30]
}

nocomb_model = Pipeline([
    ("preprocessor", preprocessor),
    ("classifier", RandomForestClassifier(random_state=RANDOM_STATE, n_jobs=6, verbose=1))
    ])

Categorical columns: ['Protocol', 'Packet Type', 'Traffic Type', 'Severity Level']
Boolean columns: []
Numerical columns: ['Int Source IP', 'Int Destination IP', 'Anomaly Scores']


### Model Fitting and Result

In [None]:
X_train, X_test, y_train, y_test = train_test_split(Xsimple_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)
start_time = monotonic()
search = GridSearchCV(nocomb_model, param_grid)
search.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    best_params = search.best_params_
    score = search.score(X_test, y_test)
    y_pred = search.predict(X_test)
    report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Best parameters: ", best_params)
print("Model score: %.3f" % score)
print(report)

[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    0.3s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    0.7s finished
[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    0.0s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    0.0s finished
[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    0.3s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    0.7s finished
[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    0.0s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    0.0s finished
[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    0.3s
[Parallel(n_job

Time taken to fit the model: 123.93 seconds
Best parameters:  {'classifier__max_depth': None, 'classifier__min_samples_split': 30, 'classifier__n_estimators': 100}
Model score: 0.334
              precision    recall  f1-score   support

        DDoS       0.35      0.35      0.35      2686
   Intrusion       0.33      0.32      0.33      2653
     Malware       0.32      0.32      0.32      2661

    accuracy                           0.33      8000
   macro avg       0.33      0.33      0.33      8000
weighted avg       0.33      0.33      0.33      8000



[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    0.7s finished


### Feature Importance

In [None]:
importances = search.best_estimator_.named_steps['classifier'].feature_importances_
forest = [forest for forest in search.best_estimator_.named_steps['classifier'].estimators_]
std = np.std([tree.feature_importances_ for tree in forest], axis=0)
feature_names = [f"{x}" for x in search.best_estimator_.named_steps["preprocessor"].get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)

fig = px.bar(forest_importances[forest_importances["importance"] > 0.01],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

## Model with feature combination

In [None]:
columns = ["Int Source IP", "Int Destination IP", "Protocol", "Packet Type", "Traffic Type", "Anomaly Scores", "Severity Level", "Month", "DayOfWeek"]
Xsm_dataset = X_dataset[columns].copy()
Xsm_dataset["Syn Feature 1"] = Xsm_dataset["Protocol"] + "_" + Xsm_dataset["Packet Type"] + Xsm_dataset["Traffic Type"]
Xsm_dataset = Xsm_dataset.drop(columns=["Protocol", "Packet Type", "Traffic Type"])
Xsm_dataset["Syn Feature 2"] = Xsm_dataset["Anomaly Scores"]**2
Xsm_dataset = Xsm_dataset.drop(columns=["Anomaly Scores"])
Xsm_dataset["Syn Feature 3"] = Xsm_dataset["Month"].astype(str) + "_" + Xsm_dataset["DayOfWeek"].astype(str)
Xsm_dataset = Xsm_dataset.drop(columns=["Month", "DayOfWeek"])

### Pipeline Definition

In [None]:
cat_cols = Xsm_dataset.select_dtypes(include=["str", "object"]).columns
print("Categorical columns:", cat_cols.tolist())
bool_cols = Xsm_dataset.select_dtypes(include=["bool"]).columns
print("Boolean columns:", bool_cols.tolist())
num_cols = Xsm_dataset.select_dtypes(include=["number"]).columns
print("Numerical columns:", num_cols.tolist())
passthrough_cols = [col for col in Xsm_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

numeric_transformer = Pipeline(
        steps = [("scaler", StandardScaler())]
    )

categorical_transformer = Pipeline([
        ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
        ("encoder", OneHotEncoder(handle_unknown="ignore", drop="first"))
        ])
boolean_transformer = Pipeline([
        ("encoder", TargetEncoder(target_type="binary")),
        ])

preprocessor = ColumnTransformer(
        transformers=[
            ("cat", categorical_transformer, cat_cols),
            ("num", numeric_transformer, num_cols),
            ("bool", boolean_transformer, bool_cols)
        ]
    )
param_grid = {
    "classifier__n_estimators": [100, 200],
    "classifier__max_depth": [None, 10, 20],
    "classifier__min_samples_split": [2, 10, 30]
}


comb_model = Pipeline([
        ("preprocessor", preprocessor),
        ("classifier", RandomForestClassifier(n_estimators=300, random_state=RANDOM_STATE, n_jobs=6, verbose=1))
    ])

Categorical columns: ['Severity Level', 'Syn Feature 1', 'Syn Feature 3']
Boolean columns: []
Numerical columns: ['Int Source IP', 'Int Destination IP', 'Syn Feature 2']


### Model Fitting and Result

In [None]:
X_train, X_test, y_train, y_test = train_test_split(Xsm_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)
start_time = monotonic()
search = GridSearchCV(comb_model, param_grid)
search.fit(X_train, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    best_params = search.best_params_
    score = search.score(X_test, y_test)
    y_pred = search.predict(X_test)
    report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Best parameters: ", best_params)
print("Model score: %.3f" % score)
print(report)

[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    1.3s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    3.2s finished
[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    0.0s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    0.0s finished
[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    1.3s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    3.1s finished
[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    0.0s
[Parallel(n_jobs=6)]: Done 100 out of 100 | elapsed:    0.0s finished
[Parallel(n_jobs=6)]: Using backend ThreadingBackend with 6 concurrent workers.
[Parallel(n_jobs=6)]: Done  38 tasks      | elapsed:    1.3s
[Parallel(n_job

Time taken to fit the model: 161.11 seconds
Best parameters:  {'classifier__max_depth': None, 'classifier__min_samples_split': 10, 'classifier__n_estimators': 100}
Model score: 0.331
              precision    recall  f1-score   support

        DDoS       0.33      0.34      0.34      2686
   Intrusion       0.33      0.33      0.33      2653
     Malware       0.33      0.33      0.33      2661

    accuracy                           0.33      8000
   macro avg       0.33      0.33      0.33      8000
weighted avg       0.33      0.33      0.33      8000



In [None]:
importances = search.best_estimator_.named_steps['classifier'].feature_importances_
forest = [forest for forest in search.best_estimator_.named_steps['classifier'].estimators_]
std = np.std([tree.feature_importances_ for tree in forest], axis=0)
feature_names = [f"{x}" for x in search.best_estimator_.named_steps["preprocessor"].get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)

fig = px.bar(forest_importances[forest_importances["importance"] > 0.01],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

# Weighted Features

Feature without weight didn't give any results. We now try to add weight to some features.
RFE or feature ranking with recursive feature elimination is used. It allow us to automatically test different weight accros different features

### Pipeline

In [None]:
Y_true = processed_data["Attack Type"].astype("category").cat.codes
labels = ["DDoS", "Intrusion", "Malware"]
X_dataset = raw_data.drop(columns=["Attack Type", "Global Source IP", "Global Destination IP", "Source IP Address", "Destination IP Address"])

cat_cols = X_dataset.select_dtypes(include=["str", "category"]).columns
print("Categorical columns:", cat_cols.tolist())
bool_cols = X_dataset.select_dtypes(include=["bool"]).columns
print("Boolean columns:", bool_cols.tolist())
num_cols = X_dataset.select_dtypes(include=["int64", "float64"]).columns
print("Numerical columns:", num_cols.tolist())
passthrough_cols = [col for col in X_dataset.columns if col not in cat_cols and col not in bool_cols and col not in num_cols]

_tmp = SimpleImputer(strategy="constant", fill_value="unknown").fit_transform(X_dataset[cat_cols])
_tmp_ohe = OneHotEncoder(drop="first", handle_unknown="ignore").fit(_tmp)
all_categories = _tmp_ohe.categories_

Boolean columns: []
Numerical columns: ['Source Port', 'Destination Port', 'Packet Length', 'Anomaly Scores', 'Int Source IP', 'Int Destination IP']


In [None]:
numeric_transformer = Pipeline(
    steps=[
        ("imputer", SimpleImputer(strategy="mean")),
        ("scaler", StandardScaler())
    ]
)

cat_transformer = Pipeline([
    ("imputer", SimpleImputer(missing_values=np.nan, strategy="constant", fill_value="unknown")),
    ("encoder", OneHotEncoder(drop="first", handle_unknown="ignore", sparse_output=True, categories=all_categories))
])

preprocessor_all = ColumnTransformer(
    transformers=[
        ("cat", cat_transformer, cat_cols),
        ("num", numeric_transformer, num_cols)
    ]
)

xgb_classifier = GradientBoostingClassifier(
    random_state=RANDOM_STATE, 
    n_estimators=200, 
    verbose=1
)

# Split data first
X_train, X_test, y_train, y_test = train_test_split(X_dataset, Y_true, test_size=0.2, stratify=Y_true, random_state=RANDOM_STATE)

# Apply preprocessing to convert DataFrame to array
X_train_preprocessed = preprocessor_all.fit_transform(X_train)
X_test_preprocessed = preprocessor_all.transform(X_test)

# Now use RFE only on the classifier with preprocessed array data
selector = RFE(
    estimator=xgb_classifier,
    n_features_to_select=None,
    step=0.6,
    verbose=2
)

In [None]:
start_time = monotonic()
selector.fit(X_train_preprocessed, y_train)
elapsed_time = monotonic() - start_time

# Suppress verbose output from score() and predict()
with suppress_output():
    score = selector.score(X_test_preprocessed, y_test)
    y_pred = selector.predict(X_test_preprocessed)
    report = classification_report(y_test, y_pred, target_names=labels)

print("Time taken to fit the model: %.2f seconds" % elapsed_time)
print("Model score: %.3f" % score)
print(report)

Fitting estimator with 173379 features.
      Iter       Train Loss   Remaining Time 
         1           1.0983           20.26m
         2           1.0980           20.02m
         3           1.0978           19.84m
         4           1.0975           19.73m
         5           1.0973           20.20m
         6           1.0971           20.00m
         7           1.0970           19.84m
         8           1.0968           20.05m
         9           1.0966           20.27m
        10           1.0964           20.71m
        20           1.0949           19.26m
        30           1.0936           18.01m
        40           1.0921           17.00m
        50           1.0907           15.81m
        60           1.0896           14.69m
        70           1.0885           13.58m
        80           1.0874           12.49m
        90           1.0861           11.44m
       100           1.0851           10.38m
       200           1.0750            0.00s
      Iter    

In [None]:
with open(data_path.joinpath("weight_features.pkl"), 'wb') as f:
    pickle.dump(selector, f)


### Feature Importance

In [None]:
importances = selector.estimator_.feature_importances_
std = np.std([tree.feature_importances_ for tree in selector.estimator_.estimators_], axis=0)
feature_names = [f"{x}" for x in preprocessor_all.get_feature_names_out()]
forest_importances = pd.DataFrame({"feature": feature_names, "importance": importances, "std": std}).sort_values("importance", ascending=False)

fig = px.bar(forest_importances[forest_importances["importance"] > 0.001],x="feature",y="importance", error_y="std", title="Feature importances using MDI")
fig.show()

AttributeError: 'numpy.ndarray' object has no attribute 'feature_importances_'

In [None]:
selector.estimator_